Discourse/discourse
Discourse/discourse
0
0
Fork 0
mirror of https://gh.wpcy.net/https://github.com/discourse/discourse.git synced 2026-05-06 00:10:52 +08:00
Code Packages Activity Actions
discourse/spec/requests/admin/impersonate_controller_spec.rb
Martin Brennan 0ccdd152c0
DEV: Move 4 upcoming changes to stable (#39066) 
No further feedback on these has been received,
so moving to stable. Admins will now be warned
via a problem check if they've manually disabled
any of these.

This also marks the point where these will be enabled
by default for our enterprise hosted customers and
self-hosters.

* enable_auto_grid_images
* rename_faq_to_guidelines
* impersonate_without_logout
* enable_form_templates
2026-04-07 10:05:49 +10:00

150 lines
4.7 KiB
Ruby
Raw Permalink Blame History

# frozen_string_literal: true
RSpec.describe Admin::ImpersonateController do
fab!(:admin)
fab!(:moderator)
fab!(:user)
fab!(:another_admin, :admin)
describe "#index" do
context "when logged in as an admin" do
before { sign_in(admin) }
it "returns success" do
get "/admin/impersonate.json"
expect(response.status).to eq(200)
end
end
shared_examples "impersonation inaccessible" do
it "denies access with a 404 response" do
get "/admin/impersonate.json"
expect(response.status).to eq(404)
expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
end
end
context "when logged in as a moderator" do
before { sign_in(moderator) }
include_examples "impersonation inaccessible"
end
context "when logged in as a non-staff user" do
before { sign_in(user) }
include_examples "impersonation inaccessible"
end
end
describe "#create" do
context "when logged in as an admin" do
before { sign_in(admin) }
it "requires a username_or_email parameter" do
post "/admin/impersonate.json"
expect(response.status).to eq(400)
expect(session[:current_user_id]).to eq(admin.id)
end
it "returns 404 when that user does not exist" do
post "/admin/impersonate.json", params: { username_or_email: "hedonismbot" }
expect(response.status).to eq(404)
expect(session[:current_user_id]).to eq(admin.id)
end
it "raises an invalid access error if the user can't be impersonated" do
post "/admin/impersonate.json", params: { username_or_email: another_admin.email }
expect(response.status).to eq(403)
expect(session[:current_user_id]).to eq(admin.id)
end
it "raises an invalid access error if admin is already impersonating someone" do
User.any_instance.stubs(:is_impersonating).returns(true)
post "/admin/impersonate.json", params: { username_or_email: user.username }
expect(response.status).to eq(403)
expect(session[:current_user_id]).to eq(admin.id)
end
context "with success" do
it "succeeds and logs the impersonation" do
expect do
post "/admin/impersonate.json", params: { username_or_email: user.username }
end.to change { UserHistory.where(action: UserHistory.actions[:impersonate]).count }.by(1)
expect(response.status).to eq(200)
expect(session[:current_user_id]).to eq(admin.id)
expect(admin.user_auth_tokens.last.impersonated_user_id).to eq(user.id)
end
it "also works with an email address" do
post "/admin/impersonate.json", params: { username_or_email: user.email }
expect(response.status).to eq(200)
expect(session[:current_user_id]).to eq(admin.id)
expect(admin.user_auth_tokens.last.impersonated_user_id).to eq(user.id)
end
end
end
shared_examples "impersonation not allowed" do
it "prevents impersonation with a with 404 response" do
expect do
post "/admin/impersonate.json", params: { username_or_email: user.username }
end.not_to change { UserHistory.where(action: UserHistory.actions[:impersonate]).count }
expect(response.status).to eq(404)
expect(session[:current_user_id]).to eq(current_user.id)
end
end
context "when logged in as a moderator" do
before { sign_in(moderator) }
include_examples "impersonation not allowed" do
let(:current_user) { moderator }
end
end
context "when logged in as a non-staff user" do
before { sign_in(user) }
include_examples "impersonation not allowed" do
let(:current_user) { user }
end
end
end
describe "#destroy" do
before { sign_in(admin) }
it "checks if experimental impersonation is allowed for the acting user" do
SiteSettingGroup.create!(name: "impersonate_without_logout", group_ids: "1|2")
SiteSetting.refresh!
post "/admin/impersonate.json", params: { username_or_email: user.username }
delete "/admin/impersonate.json"
expect(response.status).to eq(200)
expect(session[:current_user_id]).to eq(admin.id)
end
it "does not pass routing constraint when current user is not impersonating" do
delete "/admin/impersonate.json"
expect(response.status).to eq(404)
end
it "stops impersonating" do
post "/admin/impersonate.json", params: { username_or_email: user.username }
delete "/admin/impersonate.json"
expect(response.status).to eq(200)
expect(session[:current_user_id]).to eq(admin.id)
end
end
end
View git blame Copy permalink